public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>,
	Balakrishna Godavarthi <bgodavar@codeaurora.org>,
	Manish Mandlik <mmandlik@chromium.org>,
	Marcel Holtmann <marcel@holtmann.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 23/33] Bluetooth: Only mark socket zapped after unlocking
Date: Sun, 18 Oct 2020 15:27:18 -0400
Message-ID: <20201018192728.4056577-23-sashal@kernel.org>
In-Reply-To: <20201018192728.4056577-1-sashal@kernel.org>

From: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>

[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ]

Since l2cap_sock_teardown_cb doesn't acquire the channel lock before
setting the socket as zapped, it could potentially race with
l2cap_sock_release which frees the socket. Thus, wait until the cleanup
is complete before marking the socket as zapped.

This race was reproduced on a JBL GO speaker after the remote device
rejected the L2CAP connection due to resource unavailability.

Here is a dmesg log with debug logs from a repro of this bug:
[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002
[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0
[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2
[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001
[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952
[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c
[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00
[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4
[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT
[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT
[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3
[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6
[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159
[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053
[ 3465.430330]  lock: 0xffffff804410aac0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
[ 3465.430332] Causing a watchdog bite!

Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_sock.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index e562385d9440e..30731ce390ba0 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1330,8 +1330,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
 
 	parent = bt_sk(sk)->parent;
 
-	sock_set_flag(sk, SOCK_ZAPPED);
-
 	switch (chan->state) {
 	case BT_OPEN:
 	case BT_BOUND:
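Review bot: the commit message attributes the race to l2cap_sock_teardown_cb() not taking the channel lock, yet this hunk adds no locking at all; it only removes the early sock_set_flag(sk, SOCK_ZAPPED) that sat between `parent = bt_sk(sk)->parent;` and the switch on chan->state. The message should state why reordering alone is sufficient, i.e. which check in l2cap_sock_release() keys off SOCK_ZAPPED and could previously proceed to free the socket while the switch below was still operating on sk, so that a reader of the stable backport can judge whether the 4.4 release path has the same dependency.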
@@ -1358,8 +1356,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
 
 		break;
 	}
-
 	release_sock(sk);
+
+	/* Only zap after cleanup to avoid use after free race */
+	sock_set_flag(sk, SOCK_ZAPPED);
+
 }
 
 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
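Review bot: sock_set_flag(sk, SOCK_ZAPPED) is now executed after release_sock(sk), so the write to sk->sk_flags happens with no lock held, and since this function takes no reference of its own on sk, nothing prevents the socket from being freed between release_sock() and the flag write; the patch closes one use-after-free window and opens a narrower one. Moving the flag set to just before release_sock() preserves the intended ordering (zap only after the cleanup in the switch has finished) while keeping the write under the socket lock:

	/* Only zap after cleanup to avoid use after free race */
	sock_set_flag(sk, SOCK_ZAPPED);
	release_sock(sk);

Minor: the added blank line between sock_set_flag() and the closing brace is a checkpatch nit ("Blank lines aren't necessary before a close brace").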
-- 
2.25.1


Thread overview: 33+ messages
2020-10-18 19:26 [PATCH AUTOSEL 4.4 01/33] media: firewire: fix memory leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.4 02/33] media: ati_remote: sanity check for both endpoints Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.4 03/33] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.4 04/33] media: exynos4-is: Fix a reference count leak " Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 05/33] media: exynos4-is: Fix a reference count leak Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 06/33] media: bdisp: Fix runtime PM imbalance on error Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 07/33] media: media/pci: prevent memory leak in bttv_probe Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 08/33] media: uvcvideo: Ensure all probed info is returned to v4l2 Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 09/33] mmc: sdio: Check for CISTPL_VERS_1 buffer size Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 10/33] media: saa7134: avoid a shift overflow Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 11/33] ntfs: add check for mft record size in superblock Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 12/33] PM: hibernate: remove the bogus call to get_gendisk() in software_resume() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 13/33] scsi: mvumi: Fix error return in mvumi_io_attach() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 14/33] scsi: target: core: Add CONTROL field for trace events Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 15/33] usb: gadget: function: printer: fix use-after-free in __lock_acquire Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 16/33] udf: Limit sparing table size Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 17/33] udf: Avoid accessing uninitialized data on failed inode read Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 18/33] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 19/33] misc: rtsx: Fix memory leak in rtsx_pci_probe Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 20/33] reiserfs: only call unlock_new_inode() if I_NEW Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 21/33] xfs: make sure the rt allocator doesn't run off the end Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 22/33] usb: ohci: Default to per-port over-current protection Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 23/33] Bluetooth: Only mark socket zapped after unlocking Sasha Levin [this message]
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 24/33] scsi: ibmvfc: Fix error return in ibmvfc_probe() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 25/33] brcmsmac: fix memory leak in wlc_phy_attach_lcnphy Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 26/33] rtl8xxxu: prevent potential memory leak Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 27/33] Fix use after free in get_capset_info callback Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 28/33] tty: ipwireless: fix error handling Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 29/33] ipvs: Fix uninit-value in do_ip_vs_set_ctl() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 30/33] reiserfs: Fix memory leak in reiserfs_parse_options() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 31/33] brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 32/33] usb: core: Solve race condition in anchor cleanup functions Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 33/33] ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() Sasha Levin
